Soroush Dalili has provided a very useful, extensive guide here, which should be used by developers as well as testers.

On this topic, I would also recommend watching the presentation by Wojtek Dworakowski at AppSec EU 2015 in May about "E-Banking Transaction Authorization - Common Vulnerabilities, Security Verification And Best Practices For Implementation".